February 12, 2015

Snowden would not have been able to legally "wiretap anyone"

(UPDATED July 5, 2017)

During his very first interview, former NSA contractor Edward Snowden pretended that he, sitting behind his desk, "certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, or even the President if I had a personal e-mail".

Right from the beginning, intelligence experts doubted that individual NSA analysts would have such far-reaching powers. By looking at the legal authorities and procedures that regulate NSA's collection efforts, it becomes clear that it is highly unlikely that Snowden or other analysts could have done that in a legitimate way.

Targeting US citizens under FISA authority

The National Security Agency (NSA) collects foreign signals intelligence outside the US, but in a few special cases, it is also allowed to collect data about US citizens or to collect data inside the US. This is shown in the following decision tree:

Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)

In the interview, Snowden was talking about wiretapping ordinary US citizens as well as US government officials. According to the Foreign Intelligence Surveillance Act (FISA) from 1978, the NSA is only allowed to monitor the communications of such US citizens, US residents or US corporations when they are suspected of espionage or terrorism.

If NSA thinks that's the case, then they have to apply for an individual warrant from the Foreign Intelligence Surveillance Court (FISC) by showing that there is probable cause that the intended target is an agent of a foreign power (section 105 FISA/50 USC 1805), or associated with a group engaged in international terrorism. Depending on the type of surveillance, the FISC then issues a warrant for a period of 90 days, 120 days, or a year.

Acquiring an individual FISA warrant

So, if Snowden really had the authority to wiretap ordinary Americans and US government officials even up to the President, then he would have had to provide probable cause that these people were either foreign agents or related to terrorist groups.

For the President this would only be imaginable in films or television series, and it would only apply to very few other Americans. In other cases the NSA would and will not get a FISA warrant to eavesdrop on US citizens or residents.

Snowden often said that he sees the FISA Court as a mere "rubber stamp" because it approves almost all requests from the intelligence agencies. However that may be, obtaining an individual FISA warrant isn't easy: a request needs approval of an analyst's superior, the NSA's general counsel, and the Justice Department, before it is presented to the FISA judge.

Collection under section 702 FAA

Maybe some people would ask: wouldn't it be easier to target US persons through the PRISM program, under which NSA collects data from major US internet companies like Facebook, Google, Yahoo, Microsoft?

The answer is no, despite the fact that PRISM is governed by section 702 of the FISA Amendments Act (FAA), which was designed to collect data faster and more easily. As such, section 702 was enacted in 2008 to legalize the notorious warrantless wiretapping program, authorized by president George W. Bush right after the attacks of 9/11.

But what many people don't realize is that the special authority of section 702 FAA can only be used to collect communications of non-US persons located outside the United States.

The NSA uses section 702 not only to gather data through the PRISM program, but also by filtering internet backbone cables operated by major US telecommunication providers, in order to grab the communications associated with specific e-mail addresses. This is called Upstream collection.

Section 702 FAA certifications

What makes section 702 FAA collection faster is that instead of an individual warrant from the FISA Court, NSA gets a general warrant for some specific topics, which is valid for one year.

For this, the US Attorney General and the Director of National Intelligence (DNI) annually certify that specific legal requirements for the collection of time-sensitive and higher volumes of data have been met and how these will be implemented.

These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like hiding names and addresses of US citizens when their communications come in unintentionally. The court then issues an order that approves the certification.

Until now, we know of section 702 FAA certifications for three topics:

These certifications include some general procedures and specific rules for minimizing US person identifiers. They do not contain lists of individual targets. Maybe this contributed to Snowden's idea that analysts are allowed to select targets all by themselves. But even then, this only applies to foreign targets and only to a few specific categories.

Dual authorities

In a report by The Washington Post from July 5, 2014, it was said that Snowden, in his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center, had "unusually broad, unescorted access to raw SIGINT under a special ‘Dual Authorities’ role", which reportedly refers to both section 702 FAA (for collection inside the US) and EO 12333 (for collection overseas).

Those two authorities allowed him to search stored content and initiate new collection without prior approval of his search terms. "If I had wanted to pull a copy of a judge’s or a senator’s e-mail, all I had to do was enter that selector into XKEYSCORE", so he did not need to circumvent [access] controls, Snowden said to the Post.

So, if Snowden apparently had the 702 FAA and EO 12333 authorities, this means he wasn't authorized to target American judges or senators, in the sense of initiating real-time wiretapping, because for that the traditional FISA authority and a warrant from the FISC are needed. It looks like he confirms this by saying "If I had wanted to pull a copy of a judge’s or a senator’s e-mail", which sounds more like pulling such an e-mail from a database.

This also seems to be confirmed by the fact that Snowden points to XKeyscore for getting such e-mails. XKeyscore is mainly used to search data that have already been collected in one way or another, particularly at access points outside the US. The common way to start new surveillance is through the Unified Targeting Tool (UTT, see below).

Backdoor searches

Indeed there's a legal way to search for communications of US persons in data that have already been collected: according to an entry in an NSA glossary published by The Guardian in August 2013, the FISA Court on October 3, 2011 allowed using certain US person names and identifiers as query terms on data already collected under 702 FAA:

This became known as "back-door searches". These queries might be questionable, but contrary to what the term "back-door" suggests, they are not illegal, as the practice was approved by the FISA Court. In a letter to senator Wyden from June 2014, DNI Clapper revealed that not only NSA, but also CIA and FBI are allowed to query already collected 702 FAA data in this way.

In August 2014, former State Department official John Napier Tye revealed that NSA is also allowed to use US person names to query data collected under EO 12333, but only those that have been approved by the Attorney General and for persons considered to be agents of a foreign power.

Backdoor search approvals

Clapper explained that these backdoor queries are subject to oversight and limited to cases where there is "a reasonable basis to expect the query will return foreign intelligence". Querying by using US person identifiers is only allowed for data from PRISM, not from Upstream collection. In 2013, NSA approved 198 US person identifiers to be queried against the results of PRISM collection.

The PCLOB report (pdf) about 702 FAA operations says that "content queries using U.S. person identifiers are not permitted unless the U.S. person identifiers have been pre-approved (i.e., added to a white list) through one of several processes, several of which incorporate other FISA processes".

The NSA's Minimization Procedures from October 2011 also say that US person identifiers may only be used as query terms after prior internal approval (as is the case with such queries under EO 12333).

For such searches, NSA for example approved identifiers of US persons for whom there were already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA’s Office of General Counsel after showing that using that US person identifier would "reasonably likely return foreign intelligence information". All approvals to use US person identifiers to query content must be documented.

Circumventing official procedures

So far, we have examined the legal options for analysts to get access to American e-mails, but in an interview from June 10, 2013, Glenn Greenwald explained that the "authority" Snowden was talking about was not an authority in a legal sense.

According to Greenwald, Snowden meant that "NSA have given [analysts] the power to be able to go in and scrutinize the communications of any American; it may not be legal, but they have the power to do it".

So it may not be legally allowed that "any analyst at any time can target anyone, any selector, anywhere", but they may have the technical capability to do so. In other words, wiretapping anyone is only possible when analysts (intentionally) circumvent the official procedures and safeguards.

In this interpretation, Snowden apparently warned against the risk that individual analysts could misuse their power, which contradicts his claim earlier on in the interview, saying that the whole agency "targets the communications of everyone" and then ingests, filters, analyses and stores them.

Unified Targeting Tool

Illegally intercepting American e-mails by circumventing official procedures could be conducted by manipulating targeting instructions given through the Unified Targeting Tool (UTT), which is a web-based tool that is used to start the actual collection of data.

A rogue analyst could for example confirm that there's a FISA warrant, when there's not, or provide a fake foreignness indicator, so someone could be targeted under the authority of Executive Order 12333, which doesn't require the procedure of acquiring a FISA court approval.

A rare screenshot of the Unified Targeting Tool (UTT), which shows some of the
fields that have to be filled in. We see that data about a "FAA Foreign
Governments Cert." is missing and therefore not valid to task (see below),
and also a drop down menu with various Foreignness Factors.

Unfortunately no manual for this tool has been disclosed, although that would have been useful to learn more about internal safeguards to prevent misuse. The NSA itself also didn't release such documents, which could have contributed to more trust in the way they actually operate.

Targeting procedures

We have no details about the NSA's internal procedure for intercepting individual US citizens, but we do know about the process for collection under the PRISM program.

As PRISM is used for collecting data about foreigners, it can be considered somewhat less restrictive than collecting data about US persons, for which there may be some extra safeguards and checks. The PRISM tasking process is shown in this slide:

Slide that shows the PRISM tasking process

We see that after the analyst has entered the selectors (like a target's phone number or e-mail address) into the UTT, this has to be reviewed and validated by (in this case) either the FAA adjudicators in the S2 Product Line, or the Special FISA Oversight unit.

A final review of the targeting request is conducted by the Targeting and Mission Management unit. Only then are the selectors released and put on lists which the FBI presents to the various internet companies, who will then pull the associated communications from their servers and systems.

For targeting foreigners on collection systems outside the US (which is governed by EO 12333), there are fewer restrictions, but this too is still not completely at the will of individual analysts. At the very least, every eavesdropping operation has to be in accordance with the goals set in the NSA's Strategic Mission List and other policy documents.

Incidents

Nonetheless, recently declassified NSA reports to the president's Intelligence Oversight Board (IOB) show that there have been cases in which there was an abuse of the collection system, either wilfully or accidentally. The majority of incidents both under FISA and EO 12333 authority occurred because of human error.

It shows that despite the safeguards, some unauthorized targeting and querying can still happen, but also that the internal oversight mechanisms detected them afterwards, with the selectors involved being detasked, the non-compliant data being deleted and the analysts being counseled.

Conclusion

Snowden talked as if it would be easy for NSA analysts to wiretap anyone, but as we have seen, the official procedures do not authorize targeting US persons. He apparently did have the authority to use US person identifiers for querying data that were already collected.

But contrary to what Snowden said, these queries are only allowed after prior approval, which makes it highly unlikely that e-mail addresses from American judges or senators, let alone from the President, would make it through.

Without an easy legal way, Glenn Greenwald tried to rescue Snowden's claim by saying that it wasn't about legal authorities, but about the technical capabilities that enable NSA analysts to access American e-mails, whether that would be legal or not.

Internal NSA reports do show that it is possible to enter incorrect or unapproved e-mail addresses into the collection system, but also that most of these cases are (afterwards) detected by oversight systems.

(Edited after adding Greenwald's interpretation of Snowden's words and adding the non-compliance incidents. Also added an addendum about Snowden's authorities based upon a 2014 report by The Washington Post, and added an explanation about the back-door searches)

7 comments:

Anonymous
said...

Your whole argument centers around "in a legitimate way." Snowden's point was that he, and many others, had the ability to target anyone he chose. There may well have been some nominal legal safeguards against his doing so -- although practices such as LOVEINT suggest that those safeguards aren't particularly effective -- but that doesn't negate the fact that he *could*.

If they are audited, why did the NSA not know Snowden had copied information until it was announced and then didn't know *what* information was copied?: "Misuse of NSA's collection systems is also prevented by internal and external oversight afterwards, including regular audits of the activities of analysts.".

The way Snowden told this in the interview clearly suggested that he was authorized, in the sense of officially allowed, to "wiretap anyone". That made his statement disturbing. Not the fact that it would be possible to collect someone's communications illegally.

There would be a problem when the agency as such had the legal authority to misuse its capabilities against US citizens, not some individual employees, as NSA as a whole is trying to do everything to just prevent that.

In an agency with over 30,000 employees it's almost impossible to prevent any kind of mistakes or misuse, like the LOVEINT you mentioned, but most of these cases have been detected by the various oversight mechanisms and they account for only a tiny percentage of the overall number of intelligence activities.

The fact that Snowden wasn't caught while downloading all those documents surely seems to be a security failure, but it's different from starting the interception of someone's communications. We don't know it for sure, but until now it seems that even Snowden wasn't able to get access to higher level compartments, that protect more sensitive information. So not everything is broken ;-)

I must admit that I'm particularly interested in what actually happens. In this regard a couple of points are worth considering.

Drake et al. say that ways to detect US citizens were removed from software. This suggests deliberate action to avoid legal requirements.

I believe that most people inside the securocracy are decent human beings. I have to take this on faith as legal frameworks are in place to make this unknowable and to ensure that any information released is intrinsically unreliable. That's a problem.

There appears to be some citizen protection by many nation states. Unfortunately we are not dealing with nation states but overlapping sets of state groups. When you take the union of those sources citizen protections appear to be meaningless. I think the rule makers have shot themselves in the foot here.

Snowden got away with a lot, how much was taken by individuals with malevolent intent? They had no idea how much or what Snowden had taken. By the same token they have no idea how much the FSB, the GRU, MPAA, RIAA, Sony, DPRK, Ndrangheta... have got. Conclusion. Don't grab it, then it can't be stolen from you.

Much of the debate is misleading. Google, Facebook, Microsoft, NSA, GCHQ, your ISP, it's all one pot of information with large scale cross leakage. An integrated debate would be welcome.

Thanks for your analysis. As usual, it's a rare useful addition to the discussion.

As I understood what I've read re: Snowden, he wasn't making claims about legality so much as access and ability.

I'm clearly not anywhere near the expert that most of the authors and commenters seem to be here. However, I have tried to read as much as possible over the years to try and keep generally informed.

I was led, in a roundabout way, to the subject of Sigint and US foreign and domestic targeting when I started following the RSA/PGP/Phil Zimmermann story in 1994. That led me to read Bamford's books. Since then, I've read what he wrote and purchased what he has written since.

Over the years I've made comments in general conversation that the US capabilities are comprehensive and would probably shock most people, and more often than not people disregarded what I said as hyperbole or conspiratorial paranoia.

Between that information and a few other things I followed, specifically the Mitnick manhunt, in which it was reported that he had used (I'm assuming he also built the device) a cell site simulator or some other device in keeping ahead of the FBI and Secret Service and other FED agencies hunting him.

Point being, I wasn't surprised when the shit hit the fan re: Snowden, although the specifics of breadth and capability in detail were pretty incredible.

So, after rambling, I'm getting to my question. Bamford wrote in one of his books about how the NSA had funneled information it came across about domestic crime to DEA/FBI and other agencies, but that never allowed disclosure and found it easier to discontinue forwarding the information out of fears that it would eventually make capabilities known in a court record or some other format.

For that reason, although I've always considered most of my communication to be easy for the gov't to collect but not interesting. Even after the disclosures about the PacBell NSA Room and passage of the Patriot Act I still figured any questionable content of mine or anyone else in the US that didn't concern terror would also not be interesting or useful.

Then, I started to hear about Stingrays, Nondisclosure agreements of US law enforcement with Harris Corp, refusal to disclose docs in FOIA requests, monitoring of activists and demonstrations and general lawlessness by police agencies and a significant increase in the focus of these technologies on US citizens for legal and illegal activity alike. Then I started to hear about parallel construction, which seems to me to be a euphemism for lie, and seems like a serious problem with regards to subversion of the legal system in the US regarding US citizens.

What's the point of a court when it is lied to by law enforcement? Same holds true for a prosecutor. Now, agencies are directed to lie with the blessing of the system.


The title picture of this weblog shows the watch floor of the NSA's National Security Operations Center (NSOC) in 2006. The URL of this weblog recalls Electrospace Systems Inc., the company which made most of the top level communications equipment for the US Government. All information on this weblog is obtained from unclassified or publicly available sources.